The term xauth is generally applied with VPN's, but you can certainly do user authentication for traffic going through a PIX without a VPN in place.
See http://www.cisco.com/warp/public/110/atp52.html
Note the PIX will only authenticate using HTTP, FTP or Telnet type traffic, so your users will have to use that traffic to authenticate, then they'll be allowed to use SSL to go through.